SharePoint 2013 App authorization policy (RunWithElevatedPrivileges for Apps)

Friday, August 23, 2013


A lot of people ask on the MSDN SharePoint 2013 forums how they can host an app on their public site. They want to use an app part on a public-facing site that allows anonymous access, or where the current user does not have permissions: something like RunWithElevatedPrivileges, in developer's terms, but for an app. Many developers start working with the API from small tutorials, sample code and hands-on labs without understanding what the new SharePoint 2013 API is actually doing. The new app model does away with the usual impersonation confusion and makes one thing very clear for developers: there is no impersonation capability in the SharePoint 2013 app API. So if elevated privileges and impersonation are not available, how can the work get done? The answer is the "App Only Policy".

The App Only Policy
In a scenario where the app has to do some work for which the current user does not have permission, we use the app-only policy. The user has not provided any kind of credential; an OAuth access token is present but does not contain user information, so permissions are evaluated based on the app instead of the user.
Authorization in SharePoint 2013 is divided into two types of entities:
1st, permissions for users.
2nd, permissions for apps.

App authorization policies types

User-only policy—The user-only policy is the authorization policy that was always applied in SharePoint 2010. When the user-only policy is used, the authorization checks take into account only the user identity. An example of when this policy is enforced is when the user is accessing resources directly without using an app.

User + app policy—When the user + app policy is used, the authorization checks take into account both the user identity and the app identity. In particular, when this policy is used, authorization checks succeed only if both the current user and the app have sufficient permissions to perform the action in question.
An example of when this policy is used is when a SharePoint site has an embedded IFRAME that links to an Office Store app, and the app calls back to SharePoint to access SharePoint resources on behalf of the user. That is, an Office Store app, which does not run in SharePoint Server, wants to act on behalf of the user to get access to the user's resources.

App-only policy—When the app-only policy is used, the content database authorization checks take into account only the app identity. In particular, when this policy is used, an authorization check succeeds only if the current app has sufficient permissions to perform the action in question, regardless of the permissions of the current user (if any).

OAuth is required to generate the app token, so the app-only policy can only be used by auto-hosted apps or provider-hosted apps.
SharePoint-hosted apps cannot use the app-only policy.


To request that your app be allowed to use the app-only policy, add the attribute AllowAppOnlyPolicy with the value true to the AppPermissionRequests node of the app manifest. The user installing the app must be a site collection administrator to grant use of the app-only policy.

On Code
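The following is an added example (not code from the original post) showing the two halves of the app-only policy in a provider-hosted app: the manifest declaration and a server-side CSOM call that runs with the app identity alone. It assumes the TokenHelper.cs class that Visual Studio adds to a provider-hosted app project, a client ID and secret in web.config, and a placeholder host web URL.

```csharp
// Added example: reading host-web lists under the app-only policy.
// Assumes TokenHelper.cs from the Visual Studio provider-hosted app template
// (not reproduced here) and ClientId/ClientSecret configured in web.config.
//
// Manifest prerequisite (AppManifest.xml), constructed for this example:
//   <AppPermissionRequests AllowAppOnlyPolicy="true">
//     <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web"
//                           Right="Read" />
//   </AppPermissionRequests>
using System;
using Microsoft.SharePoint.Client;

public static class AppOnlyReader
{
    // Reads list titles from the host web using the app identity only.
    // No user token is involved, so an anonymous visitor's (lack of) permissions
    // does not matter; only the rights granted to the app in the manifest apply.
    public static void ListHostWebLists(Uri hostWeb)
    {
        // Realm (tenant) of the target site, discovered via the auth challenge.
        string realm = TokenHelper.GetRealmFromTargetUrl(hostWeb);

        // App-only token: audience is the SharePoint principal at the host and
        // it is issued to this app's client ID/secret. The secret never leaves
        // the server, which is why this code must run server-side.
        string accessToken = TokenHelper.GetAppOnlyAccessToken(
            TokenHelper.SharePointPrincipal, hostWeb.Authority, realm).AccessToken;

        using (ClientContext ctx =
            TokenHelper.GetClientContextWithAccessToken(hostWeb.ToString(), accessToken))
        {
            ListCollection lists = ctx.Web.Lists;
            ctx.Load(lists, l => l.Include(x => x.Title));
            ctx.ExecuteQuery();   // fails with 401 if AllowAppOnlyPolicy was not granted
            foreach (List list in lists)
                Console.WriteLine(list.Title);
        }
    }

    public static void Main()
    {
        // Placeholder host web; replace with the real SPHostUrl query value.
        ListHostWebLists(new Uri("https://contoso.example/sites/public"));
    }
}
```

Because the token carries no user claims, every read or write performed through this context is audited as the app, not the visitor, so grant the app only the scope and right it actually needs.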




Reference and Helpful Links
http://code.msdn.microsoft.com/office/SharePoint-2013-Make-app-6e3d1ee9



By Usama Wahab Khan